ISM-1767: ASD Information Security Manual (ISM)

Use SHA-2 with Minimum 256-bit Output

When using SHA-2, ensure the hash is at least 256 bits for better security.

Plain language

When you use SHA-2, make sure the hash is at least 256 bits long, like picking a thicker padlock for better security. This is important because using a weaker hash is like leaving the door a little ajar, making it easier for cybercriminals to break in and steal or tamper with important information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S

ISM last updated

Nov 2024

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

When using SHA-2 for hashing, an output size of at least 256 bits is used, preferably SHA-384 or SHA-512.

Why it matters

Using SHA-2 outputs under 256 bits (e.g., SHA-224) reduces collision resistance, increasing the risk of forged digests and compromised integrity of files, logs and signatures.

Operational notes

Standardise on SHA-256 or stronger (prefer SHA-384/SHA-512) across applications, TLS/cert profiles and signing tools; explicitly disable SHA-224 and verify via config reviews and testing.
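
One way to support the config review described above, as an added example that is not ASD or Control Stack code: the script scans key = value settings for SHA-2 identifiers and grades each by output size, including truncated variants such as SHA-512/224. The setting names and sample lines are constructed, and the three verdict labels are assumptions that mirror the control statement's wording.

```python
import re

# SHA-2 names as they appear in configs: "SHA-224", "sha256WithRSAEncryption",
# "ecdsa-with-SHA384", "sha2-512", "SHA-512/224". Group 2 is the truncated output
# size of SHA-512/t. "sha1" and "sha3-256" do not match: ISM-1767 covers SHA-2 only.
SHA2_RE = re.compile(
    r"sha[-_]?(?:2[-_])?(224|256|384|512)(?:[-_/](224|256))?(?![0-9])", re.IGNORECASE)

def classify(identifier):
    """Return (output_bits, verdict), or None when no SHA-2 variant is named."""
    m = SHA2_RE.search(identifier)
    if m is None:
        return None
    bits = int(m.group(2) or m.group(1))  # truncated variants: judge the output size
    if bits < 256:
        return bits, "non-compliant"
    return bits, "meets minimum" if bits == 256 else "preferred"

def audit(lines):
    """Return (line_no, setting, token, bits, verdict) for each SHA-2 name found."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        text = line.split("#", 1)[0].strip()  # drop comments
        if "=" not in text:
            continue
        key, value = (part.strip() for part in text.split("=", 1))
        for token in re.split(r"[,:\s]+", value):  # comma, colon or space lists
            result = classify(token)
            if result:
                findings.append((line_no, key, token, *result))
    return findings

# Constructed sample inventory (hypothetical keys, not from any real system).
SAMPLE = """\
# hash settings collected during a config review
tls.cert.signature = sha256WithRSAEncryption
codesign.digest = SHA-224
backup.manifest.hash = SHA-512/224
firmware.signature = ecdsa-with-SHA384
tls.sigalgs = RSA+SHA256:ECDSA+SHA384:RSA+SHA224
archive.hash = sha3-256
legacy.checksum = sha1
""".splitlines()

if __name__ == "__main__":
    for line_no, key, token, bits, verdict in audit(SAMPLE):
        print(f"line {line_no}: {key} uses {token} ({bits}-bit): {verdict}")
```

Settings that name SHA-1 or SHA-3 produce no finding here because they fall outside this control's scope; they need checking against their own requirements.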

Implementation tips

  • IT team should verify hashing protocols: Confirm that current systems use SHA-2 with at least 256-bit outputs. Review system configurations to ensure compliance and, where necessary, update settings to SHA-384 or SHA-512.
  • Procurement should include security requirements: Ensure new software purchases specify SHA-2 with at least 256-bit output in the security criteria. Include this requirement in vendor evaluations and documentation.
  • Managers should understand the risks: Educate team leaders about what hashing is and why choosing at least 256-bit output is crucial for security. Use simple analogies, like padlocks and door strength, to illustrate.
  • System administrators should update legacy systems: Identify older systems potentially not using SHA-2 with the required output size and plan for updates or replacements. Schedule upgrades during low-traffic periods to minimise disruptions.
  • Security officers should conduct periodic reviews: Set an annual review to check if SHA-2 is implemented with at least 256-bit output. During these reviews, update any systems that might have fallen behind on this requirement.

Audit / evidence tips

  • Ask: The list of systems using hashing algorithms: Request documentation clearly listing what hashing algorithms are in use and on which systems. Good: Includes a complete and up-to-date list detailing output sizes for each system.
  • Ask: Procurement records for new software: Review procurement records to see if the SHA-2 requirement is specified.
  • Ask: System configuration records: Request system settings or configuration files for networks employing hashing. Good: Configuration will explicitly show the chosen algorithm and bit-length.
  • Ask: Security training materials: Check team training records to see if hashing and the importance of a 256-bit minimum are covered.
  • Ask: Recent system audit reports: Obtain audit documents covering cryptographic compliance reviews. Good: Audit report identifies any gaps and confirms compliant systems.

Cross-framework mappings

How ISM-1767 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 8.24
Notes: ISM-1767 requires that when SHA-2 is used for hashing, organisations use an output size of at least 256 bits (preferably SHA-384 or SHA-512).

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
